<!DOCTYPE html>
<html lang="en-us">
  <head>

    <meta http-equiv="content-type" content="text/html; charset=utf-8">
    
<meta charset="UTF-8">
<title>Scripting and security | Elasticsearch Guide [7.7] | Elastic</title>
<link rel="home" href="index.html" title="Elasticsearch Guide [7.7]">
<link rel="up" href="modules-scripting.html" title="Scripting">
<link rel="prev" href="modules-scripting-fields.html" title="Accessing document fields and special variables">
<link rel="next" href="modules-scripting-painless.html" title="Painless scripting language">
<meta name="DC.type" content="Learn/Docs/Elasticsearch/Reference/7.7">
<meta name="DC.subject" content="Elasticsearch">
<meta name="DC.identifier" content="7.7">
<meta name="robots" content="noindex,nofollow">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <script src="https://cdn.optimizely.com/js/18132920325.js"></script>
    <link rel="apple-touch-icon" sizes="57x57" href="/apple-icon-57x57.png">
    <link rel="apple-touch-icon" sizes="60x60" href="/apple-icon-60x60.png">
    <link rel="apple-touch-icon" sizes="72x72" href="/apple-icon-72x72.png">
    <link rel="apple-touch-icon" sizes="76x76" href="/apple-icon-76x76.png">
    <link rel="apple-touch-icon" sizes="114x114" href="/apple-icon-114x114.png">
    <link rel="apple-touch-icon" sizes="120x120" href="/apple-icon-120x120.png">
    <link rel="apple-touch-icon" sizes="144x144" href="/apple-icon-144x144.png">
    <link rel="apple-touch-icon" sizes="152x152" href="/apple-icon-152x152.png">
    <link rel="apple-touch-icon" sizes="180x180" href="/apple-icon-180x180.png">
    <link rel="icon" type="image/png" href="/favicon-32x32.png" sizes="32x32">
    <link rel="icon" type="image/png" href="/android-chrome-192x192.png" sizes="192x192">
    <link rel="icon" type="image/png" href="/favicon-96x96.png" sizes="96x96">
    <link rel="icon" type="image/png" href="/favicon-16x16.png" sizes="16x16">
    <link rel="manifest" href="/manifest.json">
    <meta name="apple-mobile-web-app-title" content="Elastic">
    <meta name="application-name" content="Elastic">
    <meta name="msapplication-TileColor" content="#ffffff">
    <meta name="msapplication-TileImage" content="/mstile-144x144.png">
    <meta name="theme-color" content="#ffffff">
    <meta name="naver-site-verification" content="936882c1853b701b3cef3721758d80535413dbfd">
    <meta name="yandex-verification" content="d8a47e95d0972434">
    <meta name="localized" content="true">
    <meta name="st:robots" content="follow,index">
    <meta property="og:image" content="https://www.elastic.co/static/images/elastic-logo-200.png">
    <link rel="shortcut icon" href="/favicon.ico" type="image/x-icon">
    <link rel="icon" href="/favicon.ico" type="image/x-icon">
    <link rel="apple-touch-icon-precomposed" sizes="64x64" href="/favicon_64x64_16bit.png">
    <link rel="apple-touch-icon-precomposed" sizes="32x32" href="/favicon_32x32.png">
    <link rel="apple-touch-icon-precomposed" sizes="16x16" href="/favicon_16x16.png">
    <!-- Give IE8 a fighting chance -->
    <!--[if lt IE 9]>
    <script src="https://oss.maxcdn.com/html5shiv/3.7.2/html5shiv.min.js"></script>
    <script src="https://oss.maxcdn.com/respond/1.4.2/respond.min.js"></script>
    <![endif]-->
    <link rel="stylesheet" type="text/css" href="/guide/static/styles.css">
  </head>

  <!--© 2015-2021 Elasticsearch B.V. Copying, publishing and/or distributing without written permission is strictly prohibited.-->

  <body>
    <!-- Google Tag Manager -->
    <script>dataLayer = [];</script><noscript><iframe src="//www.googletagmanager.com/ns.html?id=GTM-58RLH5" height="0" width="0" style="display:none;visibility:hidden"></iframe></noscript>
    <script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start': new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0], j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src= '//www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f); })(window,document,'script','dataLayer','GTM-58RLH5');</script>
    <!-- End Google Tag Manager -->

    <!-- Global site tag (gtag.js) - Google Analytics -->
    <script async src="https://www.googletagmanager.com/gtag/js?id=UA-12395217-16"></script>
    <script>
      window.dataLayer = window.dataLayer || [];
      function gtag(){dataLayer.push(arguments);}
      gtag('js', new Date());
      gtag('config', 'UA-12395217-16');
    </script>

    <!--BEGIN QUALTRICS WEBSITE FEEDBACK SNIPPET-->
    <script type="text/javascript">
      (function(){var g=function(e,h,f,g){
      this.get=function(a){for(var a=a+"=",c=document.cookie.split(";"),b=0,e=c.length;b<e;b++){for(var d=c[b];" "==d.charAt(0);)d=d.substring(1,d.length);if(0==d.indexOf(a))return d.substring(a.length,d.length)}return null};
      this.set=function(a,c){var b="",b=new Date;b.setTime(b.getTime()+6048E5);b="; expires="+b.toGMTString();document.cookie=a+"="+c+b+"; path=/; "};
      this.check=function(){var a=this.get(f);if(a)a=a.split(":");else if(100!=e)"v"==h&&(e=Math.random()>=e/100?0:100),a=[h,e,0],this.set(f,a.join(":"));else return!0;var c=a[1];if(100==c)return!0;switch(a[0]){case "v":return!1;case "r":return c=a[2]%Math.floor(100/c),a[2]++,this.set(f,a.join(":")),!c}return!0};
      this.go=function(){if(this.check()){var a=document.createElement("script");a.type="text/javascript";a.src=g;document.body&&document.body.appendChild(a)}};
      this.start=function(){var a=this;window.addEventListener?window.addEventListener("load",function(){a.go()},!1):window.attachEvent&&window.attachEvent("onload",function(){a.go()})}};
      try{(new g(100,"r","QSI_S_ZN_emkP0oSe9Qrn7kF","https://znemkp0ose9qrn7kf-elastic.siteintercept.qualtrics.com/WRSiteInterceptEngine/?Q_ZID=ZN_emkP0oSe9Qrn7kF")).start()}catch(i){}})();
    </script><div id="ZN_emkP0oSe9Qrn7kF"><!--DO NOT REMOVE-CONTENTS PLACED HERE--></div>
    <!--END WEBSITE FEEDBACK SNIPPET-->

    <div id="elastic-nav" style="display:none;"></div>
    <script src="https://www.elastic.co/elastic-nav.js"></script>

    <!-- Subnav -->
    <div>
      <div>
        <div class="tertiary-nav d-none d-md-block">
          <div class="container">
            <div class="p-t-b-15 d-flex justify-content-between nav-container">
              <div class="breadcrum-wrapper"><span><a href="/guide/" style="font-size: 14px; font-weight: 600; color: #000;">Docs</a></span></div>
            </div>
          </div>
        </div>
      </div>
    </div>

    <div class="main-container">
      <section id="content">
        <div class="content-wrapper">

          <section id="guide" lang="en">
            <div class="container">
              <div class="row">
                <div class="col-xs-12 col-sm-8 col-md-8 guide-section">
                  <!-- start body -->
                  <div class="page_header">
<strong>IMPORTANT</strong>: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
<a href="../current/index.html">current release documentation</a>.
</div>
<div id="content">
<div class="breadcrumbs">
<span class="breadcrumb-link"><a href="index.html">Elasticsearch Guide [7.7]</a></span>
»
<span class="breadcrumb-link"><a href="modules-scripting.html">Scripting</a></span>
»
<span class="breadcrumb-node">Scripting and security</span>
</div>
<div class="navheader">
<span class="prev">
<a href="modules-scripting-fields.html">« Accessing document fields and special variables</a>
</span>
<span class="next">
<a href="modules-scripting-painless.html">Painless scripting language »</a>
</span>
</div>
<div class="chapter">
<div class="titlepage"><div><div>
<h2 class="title">
<a id="modules-scripting-security"></a>Scripting and security<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/docs/reference/scripting/security.asciidoc">edit</a>
</h2>
</div></div></div>
<p>While Elasticsearch contributors make every effort to prevent scripts from
running amok, security is something best done in
<a href="https://en.wikipedia.org/wiki/Defense_in_depth_(computing)" class="ulink" target="_top">layers</a> because
all software has bugs and it is important to minimize the risk of failure in
any security layer. Find below rules of thumb for how to keep Elasticsearch
from being a vulnerability.</p>
<h3>
<a id="_do_not_run_as_root"></a>Do not run as root<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/docs/reference/scripting/security.asciidoc">edit</a>
</h3>
<p>First and foremost, never run Elasticsearch as the <code class="literal">root</code> user as this would
allow any successful effort to circumvent the other security layers to do
<span class="strong strong"><strong>anything</strong></span> on your server. Elasticsearch will refuse to start if it detects
that it is running as <code class="literal">root</code> but this is so important that it is worth double
and triple checking.</p>
<h3>
<a id="_do_not_expose_elasticsearch_directly_to_users"></a>Do not expose Elasticsearch directly to users<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/docs/reference/scripting/security.asciidoc">edit</a>
</h3>
<p>Do not expose Elasticsearch directly to users, instead have an application
make requests on behalf of users. If this is not possible, have an application
to sanitize requests from users. If <span class="strong strong"><strong>that</strong></span> is not possible then have some
mechanism to track which users did what. Understand that it is quite possible
to write a <a class="xref" href="search.html" title="Search APIs"><code class="literal">_search</code></a> that overwhelms Elasticsearch and brings down
the cluster. All such searches should be considered bugs and the Elasticsearch
contributors make an effort to prevent this but they are still possible.</p>
<h3>
<a id="_do_not_expose_elasticsearch_directly_to_the_internet"></a>Do not expose Elasticsearch directly to the Internet<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/docs/reference/scripting/security.asciidoc">edit</a>
</h3>
<p>Do not expose Elasticsearch to the Internet, instead have an application
make requests on behalf of the Internet. Do not entertain the thought of having
an application "sanitize" requests to Elasticsearch. Understand that it is
possible for a sufficiently determined malicious user to write searches that
overwhelm the Elasticsearch cluster and bring it down. For example:</p>
<p>Good:</p>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
Users type text into a search box and the text is sent directly to a
<a class="xref" href="query-dsl-match-query.html" title="Match query">Match</a>, <a class="xref" href="query-dsl-match-query-phrase.html" title="Match phrase query">Match phrase</a>,
<a class="xref" href="query-dsl-simple-query-string-query.html" title="Simple query string query">Simple query string</a>, or any of the <a class="xref" href="search-suggesters.html" title="Suggesters">Suggesters</a>.
</li>
<li class="listitem">
Running a script with any of the above queries that was written as part of
the application development process.
</li>
<li class="listitem">
Running a script with <code class="literal">params</code> provided by users.
</li>
<li class="listitem">
User actions makes documents with a fixed structure.
</li>
</ul>
</div>
<p>Bad:</p>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
Users can write arbitrary scripts, queries, <code class="literal">_search</code> requests.
</li>
<li class="listitem">
User actions make documents with structure defined by users.
</li>
</ul>
</div>
<h3>
<a id="modules-scripting-other-layers"></a>Other security layers<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/docs/reference/scripting/security.asciidoc">edit</a>
</h3>
<p>In addition to user privileges and script sandboxing Elasticsearch uses the
<a href="http://www.oracle.com/technetwork/java/seccodeguide-139067.html" class="ulink" target="_top">Java Security Manager</a>
and native security tools as additional layers of security.</p>
<p>As part of its startup sequence Elasticsearch enables the Java Security Manager
which limits the actions that can be taken by portions of the code. Painless
uses this to limit the actions that generated Painless scripts can take,
preventing them from being able to do things like write files and listen to
sockets.</p>
<p>Elasticsearch uses
<a href="https://en.wikipedia.org/wiki/Seccomp" class="ulink" target="_top">seccomp</a> in Linux,
<a href="https://www.chromium.org/developers/design-documents/sandbox/osx-sandboxing-design" class="ulink" target="_top">Seatbelt</a>
in macOS, and
<a href="https://msdn.microsoft.com/en-us/library/windows/desktop/ms684147" class="ulink" target="_top">ActiveProcessLimit</a>
on Windows to prevent Elasticsearch from forking or executing other processes.</p>
<p>Below this we describe the security settings for scripts and how you can
change from the defaults described above. You should be very, very careful
when allowing more than the defaults. Any extra permissions weakens the total
security of the Elasticsearch deployment.</p>
<h3>
<a id="allowed-script-types-setting"></a>Allowed script types setting<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/docs/reference/scripting/security.asciidoc">edit</a>
</h3>
<p>By default all script types are allowed to be executed.  This can be modified using the
setting <code class="literal">script.allowed_types</code>.  Only the types specified as part of the setting will be
allowed to be executed.  To specify no types are allowed, set <code class="literal">script.allowed_types</code> to
be <code class="literal">none</code>.</p>
<div class="pre_wrapper lang-yaml">
<pre class="programlisting prettyprint lang-yaml">script.allowed_types: inline <a id="CO281-1"></a><i class="conum" data-value="1"></i></pre>
</div>
<div class="calloutlist">
<table border="0" summary="Callout list">
<tr>
<td align="left" valign="top" width="5%">
<p><a href="#CO281-1"><i class="conum" data-value="1"></i></a></p>
</td>
<td align="left" valign="top">
<p>This will allow only inline scripts to be executed but not stored scripts
(or any other types).</p>
</td>
</tr>
</table>
</div>
<h3>
<a id="allowed-script-contexts-setting"></a>Allowed script contexts setting<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/docs/reference/scripting/security.asciidoc">edit</a>
</h3>
<p>By default all script contexts are allowed to be executed.  This can be modified using the
setting <code class="literal">script.allowed_contexts</code>.  Only the contexts specified as part of the setting will
be allowed to be executed.  To specify no contexts are allowed, set <code class="literal">script.allowed_contexts</code>
to be <code class="literal">none</code>.</p>
<div class="pre_wrapper lang-yaml">
<pre class="programlisting prettyprint lang-yaml">script.allowed_contexts: score, update <a id="CO282-1"></a><i class="conum" data-value="1"></i></pre>
</div>
<div class="calloutlist">
<table border="0" summary="Callout list">
<tr>
<td align="left" valign="top" width="5%">
<p><a href="#CO282-1"><i class="conum" data-value="1"></i></a></p>
</td>
<td align="left" valign="top">
<p>This will allow only scoring and update scripts to be executed but not
aggs or plugin scripts (or any other contexts).</p>
</td>
</tr>
</table>
</div>
</div>
<div class="navfooter">
<span class="prev">
<a href="modules-scripting-fields.html">« Accessing document fields and special variables</a>
</span>
<span class="next">
<a href="modules-scripting-painless.html">Painless scripting language »</a>
</span>
</div>
</div>

                  <!-- end body -->
                </div>
                <div class="col-xs-12 col-sm-4 col-md-4" id="right_col">
                  <div id="rtpcontainer" style="display: block;">
                    <div class="mktg-promo">
                      <h3>Most Popular</h3>
                      <ul class="icons">
                        <li class="icon-elasticsearch-white"><a href="https://www.elastic.co/webinars/getting-started-elasticsearch?baymax=default&amp;elektra=docs&amp;storm=top-video">Get Started with Elasticsearch: Video</a></li>
                        <li class="icon-kibana-white"><a href="https://www.elastic.co/webinars/getting-started-kibana?baymax=default&amp;elektra=docs&amp;storm=top-video">Intro to Kibana: Video</a></li>
                        <li class="icon-logstash-white"><a href="https://www.elastic.co/webinars/introduction-elk-stack?baymax=default&amp;elektra=docs&amp;storm=top-video">ELK for Logs &amp; Metrics: Video</a></li>
                      </ul>
                    </div>
                  </div>
                </div>
              </div>
            </div>
          </section>

        </div>


<div id="elastic-footer"></div>
<script src="https://www.elastic.co/elastic-footer.js"></script>
<!-- Footer Section end-->

      </section>
    </div>

<script src="/guide/static/jquery.js"></script>
<script type="text/javascript" src="/guide/static/docs.js"></script>
<script type="text/javascript">
  window.initial_state = {}</script>
  </body>
</html>
